White and Case, a top NYC law firm, posted a survey on Data Security Breach Notifications on September 26, 2005.

From the press release:

"Victims of personal data security breaches are showing their displeasure by terminating relationships with the companies that maintained their data, according to a new national survey sponsored by global law firm White & Case. The independent survey of nearly 10,000 adults, conducted by the respected privacy research organization Ponemon Institute, reveals that nearly 20 percent of respondents say they have terminated a relationship with a company after being notified of a security breach."

White and Case Press release: http://www.whitecase.com/news/news_detail.aspx?newsid=11731&type=News%20Releases

White and Case Paper: http://www.whitecase.com/files/tbl_s5107Materials/FileUpload5837/151/Security_Breach_Survey.pdf

My research takes a macro approach:

"The keynote address will cover reputational risk in light of recent disclosures of high profile security incidents at such institutions as CitiFinancial (Citigroup), Bank of America and Wachovia, Choicepoint, DSW Shoe Warehouse and Polo Ralph Lauren. The presentation will create a framework for understanding reputational risk in light of these recent events that may be applicable to responding to future incidents."

In the paper I ask: "If 40 million customer credit card numbers are exposed in a security breach at the credit card processor CardSystems, why do a significant number of people not cancel their Visa and/or Mastercard?"

Reputational Risk Keynote Presentation: http://www.ftusecurity.com/pub/FiTechSummit_final_paper.pdf

I am concerned that the survey is self-selecting. In other words, the people responding to the survey already have a disposition one way or the other. Of 51,433 people, only 17.8% (9,154) replied. That means 82.2% (42,279) did not reply! I'm not a statistician; is 17.8% statistically significant to determine a general consensus?
The papers may not be directly contradictory to one another. Please keep that in mind. I would be interested to know others' opinions on the matter.

Sincerely,
Kenneth F. Belva, CISSP
http://www.ftusecurity.com